Difference between revisions of "Automated Audit using W3AF"

From OWASP
Jump to: navigation, search
(Add notepad++ highlighter)
m (Add VIM syntax file)
 
(17 intermediate revisions by one user not shown)
Line 1: Line 1:
Last revision (mm/dd/yy): '''01/12/2012'''
+
Last revision (mm/dd/yy): '''04/27/2013'''
  
==Description==
+
<pre style="color:#088A08">This type of article aims to provide to development team a easy/quick way to perform automated audit tests against their web application projects over implementation phase.</pre>
  
 +
==Description==
 
This page have to objective to show a W3AF sample script to automate audit of a web application.  
 
This page have to objective to show a W3AF sample script to automate audit of a web application.  
  
W3AF is a free and open source Web Application Attack and Audit Framework ([http://w3af.sourceforge.net/ W3AF homepage]).
+
W3AF is a free and open source Web Application Attack and Audit Framework ([http://w3af.org/ W3AF homepage]).
  
 
''This script do not replace a manual audit but can be useful to perform a first validation''.
 
''This script do not replace a manual audit but can be useful to perform a first validation''.
  
==Script==
+
==Script content==
 
+
 
<pre>
 
<pre>
 
# -----------------------------------------------------------------------------------------------------------
 
# -----------------------------------------------------------------------------------------------------------
 
#                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
 
#                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
 
# -----------------------------------------------------------------------------------------------------------
 
# -----------------------------------------------------------------------------------------------------------
 +
#Configure HTTP settings
 
http-settings
 
http-settings
set timeout 60
+
set timeout 30
 +
back
 +
#Configure scanner global behaviors
 +
misc-settings
 +
set max_discovery_time 20
 +
set fuzz_cookies True
 +
set fuzz_form_files True
 +
set fuzz_url_parts True
 +
set fuzz_url_filenames True
 
back
 
back
 
plugins
 
plugins
# Step 1 : Configure DISCOVERY plugins
+
#Configure entry point (CRAWLING) scanner
discovery serverHeader, dotNetErrors, webSpider
+
crawl web_spider
discovery config serverHeader
+
crawl config web_spider
set execOneTime True
+
set only_forward False
 +
set ignore_regex (?i)(logout|disconnect|signout|exit)+
 
back
 
back
discovery config webSpider
+
#Configure vulnerability scanners
set onlyForward False
+
##Specify list of AUDIT plugins type to use
set followRegex .*
+
audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
 +
##Customize behavior of each audit plugin when needed
 +
audit config file_upload
 +
set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
 
back
 
back
# Step 2 : Configure AUDIT plugins
+
##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
audit LDAPi,eval,frontpage,generic,globalRedirect,phishingVector,responseSplitting,sqli,xpath,xsrf,xss,xst
+
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages,  
audit config xss
+
html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
set numberOfChecks 15
+
##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
 +
infrastructure server_header, server_status, domain_dot, dot_net_errors
 +
#Configure target authentication
 +
auth detailed
 +
auth config detailed
 +
set username admin
 +
set password password
 +
set method POST
 +
set auth_url http://pcdom/dvwa/login.php
 +
set username_field user
 +
set password_field pass
 +
set check_url http://pcdom/dvwa/index.php
 +
set check_string 'admin'
 +
set data_format username=%U&password=%P&Login=Login
 
back
 
back
# Step 3 : Configure GREP plugins
+
#Configure reporting in order to generate an HTML report
grep error500, domXss, metaTags, dotNetEventValidation, findComments, pathDisclosure, collectCookies, errorPages, httpAuthDetect
+
output console, html_file
grep config domXss
+
output config html_file
set simpleGrep False
+
set output_file /tmp/W3afReport.html
set smartGrep True
+
set verbose False
back
+
grep config metaTags
+
set search404 False
+
back
+
grep config findComments
+
set search404 False
+
 
back
 
back
# Step 4 : Configure OUTPUT plugins
+
output config console
output htmlFile
+
output config htmlFile
+
set fileName /tmp/W3afReport.html
+
 
set verbose False
 
set verbose False
 
back
 
back
 
back
 
back
# Step 5 : Define target URL
+
#Set target informations, do a cleanup and run the scan
target
+
target  
set target PUT_YOUR_SITE_URL_HERE
+
set target http://pcdom/dvwa
 +
set target_os windows
 +
set target_framework php
 
back
 
back
# Step 6 : Start audit
+
cleanup
 
start
 
start
exit
 
 
</pre>
 
</pre>
  
==Run it==
+
Here the application [http://www.dvwa.co.uk/ Damn Vulnerable Web Application] as been used as target application.
 +
 
 +
==Script run==
 
<pre>
 
<pre>
 
./w3af_console ­-s MyScript.w3af
 
./w3af_console ­-s MyScript.w3af
 
</pre>
 
</pre>
 +
 
After the script runs, the audit report is available in the location defined in clause "'''set fileName'''" ("'''/tmp/W3afReport.html'''" in the script example).
 
After the script runs, the audit report is available in the location defined in clause "'''set fileName'''" ("'''/tmp/W3afReport.html'''" in the script example).
  
 
==Script edition==
 
==Script edition==
You can find below a highlighter for Notepad++ in order to help to edit W3AF script (copy/paste content into a file and import it into Notepad++).
+
A VIM syntax file is available [http://www.vim.org/scripts/script.php?script_id=4567 here]...
<pre>
+
<NotepadPlus>
+
    <UserLang name="W3AF Script" ext="w3af">
+
        <Settings>
+
            <Global caseIgnored="yes" />
+
            <TreatAsSymbol comment="no" commentLine="no" />
+
            <Prefix words1="no" words2="no" words3="no" words4="no" />
+
        </Settings>
+
        <KeywordLists>
+
            <Keywords name="Delimiters">000000</Keywords>
+
            <Keywords name="Folder+"></Keywords>
+
            <Keywords name="Folder-"></Keywords>
+
            <Keywords name="Operators"></Keywords>
+
            <Keywords name="Comment"> 1 2 0#</Keywords>
+
            <Keywords name="Words1">start plugins exploit profiles http&#x00AD;settings misc&#x00AD;settings target back assert help version keys view set</Keywords>
+
            <Keywords name="Words2">mangle evasion discovery grep bruteforce audit output</Keywords>
+
            <Keywords name="Words3"></Keywords>
+
            <Keywords name="Words4"></Keywords>
+
        </KeywordLists>
+
        <Styles>
+
            <WordsStyle name="DEFAULT" styleID="11" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="FOLDEROPEN" styleID="12" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="FOLDERCLOSE" styleID="13" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="KEYWORD1" styleID="5" fgColor="000080" bgColor="FFFFFF" fontStyle="3" />
+
            <WordsStyle name="KEYWORD2" styleID="6" fgColor="800040" bgColor="FFFFFF" fontStyle="3" />
+
            <WordsStyle name="KEYWORD3" styleID="7" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="KEYWORD4" styleID="8" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="COMMENT" styleID="1" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="COMMENT LINE" styleID="2" fgColor="008040" bgColor="FFFFFF" fontStyle="1" />
+
            <WordsStyle name="NUMBER" styleID="4" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="OPERATOR" styleID="10" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="DELIMINER1" styleID="14" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="DELIMINER2" styleID="15" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
            <WordsStyle name="DELIMINER3" styleID="16" fgColor="000000" bgColor="FFFFFF" fontStyle="0" />
+
        </Styles>
+
    </UserLang>
+
</NotepadPlus>
+
</pre>
+
 
+
  
  
 
[[Category:Code Snippet]]
 
[[Category:Code Snippet]]
 +
 
[[Category:Automated Audit]]
 
[[Category:Automated Audit]]
 +
 
[[Category:Audit Script]]
 
[[Category:Audit Script]]
 +
 
[[Category:Externally Linked Page]]
 
[[Category:Externally Linked Page]]

Latest revision as of 15:19, 30 April 2013

Last revision (mm/dd/yy): 04/27/2013

This type of article aims to provide to development team a easy/quick way to perform automated audit tests against their web application projects over implementation phase.

Contents

Description

This page have to objective to show a W3AF sample script to automate audit of a web application.

W3AF is a free and open source Web Application Attack and Audit Framework (W3AF homepage).

This script do not replace a manual audit but can be useful to perform a first validation.

Script content

# -----------------------------------------------------------------------------------------------------------
#                                              W3AF AUDIT SCRIPT FOR WEB APPLICATION
# -----------------------------------------------------------------------------------------------------------
#Configure HTTP settings
http-settings
set timeout 30
back
#Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
plugins
#Configure entry point (CRAWLING) scanner
crawl web_spider
crawl config web_spider
set only_forward False
set ignore_regex (?i)(logout|disconnect|signout|exit)+
back
#Configure vulnerability scanners
##Specify list of AUDIT plugins type to use
audit blind_sqli, buffer_overflow, cors_origin, csrf, eval, file_upload, ldapi, lfi, os_commanding, phishing_vector, redos, response_splitting, sqli, xpath, xss, xst
##Customize behavior of each audit plugin when needed
audit config file_upload
set extensions jsp,php,php2,php3,php4,php5,asp,aspx,pl,cfm,rb,py,sh,ksh,csh,bat,ps,exe
back
##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
grep analyze_cookies, click_jacking, code_disclosure, cross_domain_js, csp, directory_indexing, dom_xss, error_500, error_pages, 
html_comments, objects, path_disclosure, private_ip, strange_headers, strange_http_codes, strange_parameters, strange_reason, url_session, xss_protection_header
##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
infrastructure server_header, server_status, domain_dot, dot_net_errors
#Configure target authentication
auth detailed
auth config detailed
set username admin
set password password
set method POST
set auth_url http://pcdom/dvwa/login.php
set username_field user	
set password_field pass
set check_url http://pcdom/dvwa/index.php
set check_string 'admin'
set data_format username=%U&password=%P&Login=Login
back
#Configure reporting in order to generate an HTML report
output console, html_file
output config html_file
set output_file /tmp/W3afReport.html
set verbose False
back
output config console
set verbose False
back
back
#Set target informations, do a cleanup and run the scan
target 
set target http://pcdom/dvwa
set target_os windows
set target_framework php
back
cleanup
start

Here the application Damn Vulnerable Web Application as been used as target application.

Script run

./w3af_console ­-s MyScript.w3af

After the script runs, the audit report is available in the location defined in clause "set fileName" ("/tmp/W3afReport.html" in the script example).

Script edition

A VIM syntax file is available here...